Server friendly slowban. Possible?

How is it possible to implement a slowban that will not become a tool for DoS against our site?

The problem is that a deliberate delay in serving an HTTP response keeps server resources busy (web server threads and possibly other subsystems).

cherouvim asked Jun 09 '11 13:06


2 Answers

If your web application is complex and takes up considerable resources, it might be the wrong place to implement a slowban because of the problem of a slowloris attack.

Instead, you could introduce the slowban by proxying your application through a lightweight proxy or web server like lighttpd or nginx, serving from cache and static content, and utilizing your firewall. From there, you may shape the bandwidth in your firewall, keeping the needed resources relatively low, as the connection of a troll is mainly served by the lightweight proxy instead of your heavy application server.

While this has some dangers to consider in itself (namely enabling a possibly insecure application to insert IP-based rules in your firewall), iptables and the kernel are relatively easy on resources.

The only thing you have to consider is the amount of open connections your system may tolerate and when to start killing the longest-open connections to make room for new ones. Definitely prepare your site for fighting against low-bandwidth attacks.

Lars answered Oct 02 '22 22:10


You could incorporate the slowban with resource monitoring so that if it becomes apparent the slowbanned user is attempting to DoS, they will be permabanned instead.

CassOnMars answered Oct 02 '22 23:10
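As an added illustration of the two answers above (not code from either poster), here is a small monitor in the spirit of the lightweight-proxy approach: it tracks open connections as the proxy reports them, escalates a slowbanned IP to a permaban once it holds more concurrent slow connections than a threshold (the "attempting to DoS" case), and kills the longest-open connections when the global limit is exceeded. The thresholds, the `SlowbanMonitor` name and the example IPs are assumptions; wiring the "permaban" result to an actual firewall rule is left to the deployment.

```python
from collections import OrderedDict


class SlowbanMonitor:
    """Per-IP decision: 'serve', 'slowban' (serve slowly) or 'permaban'
    (drop at the firewall). Connection events would come from the
    lightweight proxy; the thresholds here are assumed values."""

    def __init__(self, slowbanned, max_slow_per_ip=5, max_open_total=100):
        self.slowbanned = set(slowbanned)        # IPs already judged trolls
        self.permabanned = set()                 # IPs escalated to a DROP rule
        self.max_slow_per_ip = max_slow_per_ip   # slow conns tolerated per IP
        self.max_open_total = max_open_total     # total conns before evicting
        self.open = OrderedDict()                # conn_id -> ip, oldest first

    def opened(self, conn_id, ip):
        """Record a new connection. Returns (action, ids_to_close)."""
        evicted = []
        if ip in self.permabanned:
            return "permaban", evicted
        self.open[conn_id] = ip
        if ip in self.slowbanned:
            held = [c for c, i in self.open.items() if i == ip]
            # A slowbanned client piling up slow connections is turning the
            # slowban into a DoS vector: permaban it and free its slots.
            if len(held) > self.max_slow_per_ip:
                self.permabanned.add(ip)
                for c in held:
                    del self.open[c]
                return "permaban", held
            action = "slowban"
        else:
            action = "serve"
        # Global pressure: kill the longest-open connections first.
        while len(self.open) > self.max_open_total:
            oldest, _ = self.open.popitem(last=False)
            evicted.append(oldest)
        return action, evicted

    def closed(self, conn_id):
        self.open.pop(conn_id, None)


def demo():
    """Constructed scenario: one slowbanned IP opening connections in a loop."""
    mon = SlowbanMonitor(slowbanned={"203.0.113.7"}, max_slow_per_ip=3)
    return [mon.opened(f"troll-{n}", "203.0.113.7")[0] for n in range(5)]
```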